
Exchange ActiveSync not only enables mobile mailbox access; it can also be used for corporate mobile device management. A series of ActiveSync policies built into Exchange Server allows administrators to provision mobile devices according to the corporate security policy.

While many admins deploy Exchange Server for ActiveSync's mailbox policies, such as Mobile Device Mailbox Policies in Exchange 2013, that's not the only option for managing mobile devices. Windows Intune is another option. But ActiveSync Mailbox Policies and Windows Intune offer similar mobile device management capabilities. So, which tool should you use?

The answer to this question ultimately depends on your organization's needs. If you're already using ActiveSync Mailbox Policies to manage mobile devices and Exchange Server is adequately meeting all of your MDM needs, there's probably no reason to use Windows Intune. However, if you're just beginning to evaluate your MDM options, it's a good idea to look at both technologies to see which is a better fit.

What does Exchange 2013 bring to the table?

Exchange 2013's mobile device policies are largely security-related. For example, it's possible to specify password length and complexity and to implement an automatic device wipe after a specified number of failed password attempts.

Although the Exchange Administrative Center exposes a limited number of policy settings, the Exchange Management Shell has more available. These additional settings are primarily oriented toward mobile device hardware usage. For example, you could use a mobile device policy to disable a device's camera or to turn off Bluetooth.
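The settings named above, applied from the Exchange Management Shell. This is an added example, not part of the original article; the policy name `Corp-Mobile-Baseline`, the mailbox `jdoe` and the chosen values are constructed, and the cmdlets are the Exchange 2013 mobile device mailbox policy cmdlets.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2013.
# 'Corp-Mobile-Baseline' and 'jdoe' are constructed names; pick values
# that match your own security policy.
$policyName = 'Corp-Mobile-Baseline'

$settings = @{
    # Password length and complexity
    PasswordEnabled              = $true
    MinPasswordLength            = 6
    AlphanumericPasswordRequired = $true
    MinPasswordComplexCharacters = 3
    # Automatic device wipe after this many failed password attempts
    MaxPasswordFailedAttempts    = 8
    # Hardware settings that are set here from the shell
    AllowCamera                  = $false
    AllowBluetooth               = 'Disable'   # Disable | HandsfreeOnly | Allow
    # Refuse devices that cannot enforce every setting in this policy
    AllowNonProvisionableDevices = $false
}

# Create the policy on first run, update it in place afterwards
if (Get-MobileDeviceMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-MobileDeviceMailboxPolicy -Identity $policyName @settings
}
else {
    New-MobileDeviceMailboxPolicy -Name $policyName @settings
}

# Assign the policy to a pilot mailbox before rolling it out widely
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# Confirm what was actually stored
Get-MobileDeviceMailboxPolicy -Identity $policyName |
    Format-List Name, PasswordEnabled, MinPasswordLength,
                AlphanumericPasswordRequired, MinPasswordComplexCharacters,
                MaxPasswordFailedAttempts, AllowCamera, AllowBluetooth,
                AllowNonProvisionableDevices
```

With `AllowNonProvisionableDevices` set to `$false`, a device that cannot enforce the full policy is blocked from synchronizing, so test against each device type in use before assigning the policy broadly.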

What does Windows Intune offer Exchange admins?

ActiveSync mailbox policies are primarily designed to secure mobile devices, but Windows Intune is more focused on MDM. For example, Windows Intune provides health alerts for mobile devices and can be used to deliver applications. Just as Exchange uses ActiveSync to apply policy settings to mobile devices, Windows Intune also allows for comprehensive policy management. In fact, Windows Intune makes it possible to take advantage of Active Directory security groups.

An important caveat about mobile device manufacturers

Regardless of whether you choose Exchange Server or Windows Intune for your MDM needs, there is one extremely important caveat: Mobile device manufacturers offer support for ActiveSync policies as they see fit.

Each device manufacturer or mobile OS developer can pick and choose the ActiveSync policy settings it wishes to support. A manufacturer might choose to support the password-related policies but withhold support for policies related to device encryption. Because Exchange and Windows Intune depend on ActiveSync policies at some level, some device types can be managed more completely than others.

Even some of Microsoft's own devices lack support for several policies. The policy setting that enforces storage card encryption, for example, is not supported on Windows Phone 7, 7.5 or 8 devices. Similarly, your ability to apply policy settings will vary widely among non-Microsoft devices. This article outlines policy support among common mobile operating systems.

Currently, Windows Intune has more comprehensive MDM capabilities than those available through Exchange. But Windows Intune isn't always the best choice. It's designed to work with Windows Phone 8, Windows RT, iOS and Android devices.

In contrast, Exchange ActiveSync mailbox policies can be applied to any device that supports an ActiveSync client; therefore, Exchange can manage more devices than Windows Intune. Administrators will have to consider the level of ActiveSync policy support that may or may not be present on some of the less popular devices.
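One way to measure the caveat above in your own organization is to ask Exchange how fully each connected device reports applying its assigned policy. This is an added example, not part of the original article; it assumes the Exchange 2013 Management Shell, and the report layout is constructed.

```powershell
# Added example: inventory how completely each device family applies its
# assigned mobile device mailbox policy.

# Only mailboxes that have at least one ActiveSync partnership
$mailboxes = Get-CASMailbox -ResultSize Unlimited `
    -Filter { HasActiveSyncDevicePartnership -eq $true }

$report = foreach ($mbx in $mailboxes) {
    Get-MobileDeviceStatistics -Mailbox $mbx.Identity |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.Name } },
                      DeviceType, DeviceModel, DeviceOS,
                      DevicePolicyApplied, DevicePolicyApplicationStatus,
                      LastSuccessSync
}

# Summary per device family: which types apply the policy in full and
# which only partially (status values include AppliedInFull,
# PartiallyApplied, NotApplied, Unknown)
$report |
    Group-Object DeviceType, DeviceOS, DevicePolicyApplicationStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Individual devices that need follow-up
$report |
    Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
    Sort-Object DeviceType, Mailbox |
    Format-Table Mailbox, DeviceType, DeviceOS, DevicePolicyApplied,
                 DevicePolicyApplicationStatus -AutoSize

# Policies that let devices sync even when they cannot enforce every setting
Get-MobileDeviceMailboxPolicy |
    Where-Object { $_.AllowNonProvisionableDevices } |
    Select-Object Name, AllowNonProvisionableDevices
```

The status is what the device reports back over ActiveSync, so treat it as a starting point for testing each device type rather than proof of enforcement.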

About the author: Brien Posey is an eight-time Microsoft MVP for his work with Windows Server, IIS, Exchange Server and file system storage technologies. Brien has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once responsible for IT operations at Fort Knox. He has also served as a network administrator for some of the nation's largest insurance companies.

2 comments


I find Intune's policies are woefully inadequate. You can directly manage only iOS and Windows Phones. Android is managed by hooking to Exchange ActiveSync policy. At least on iOS you can deploy a management profile, but on Windows Phones you can't do simple things like block Skydrive, camera or Wi-Fi.

As the article states, one of the advantages of ActiveSync policies is that they are "standard" across all device types (and probably form factors in the future) - at least the device password is. You can easily determine which of your users' devices support your ActiveSync policies using http://www.activesyncdr.com